Breaking Into Software Defined Radio: Presented by Kelly Albrink


BREAKING INTO SOFTWARE DEFINED RADIO

Presented by Kelly Albrink


WHOAMI
Kelly Albrink
• Pentester at Bishop Fox
• Specialize in network, wireless, and hardware security
• Member of Noisebridge Hackerspace in San Francisco
• Loves 3D printing, science fiction, and reading your emails
@Justified_Salt
(Image caption: It’s pretty much useless)

QUESTION: WHY SHOULD YOU CARE?
RF IS MAGIC

https://creativemarket.com/yami.leth
AGENDA
1. Radio basics
2. Software Defined Radio (SDR) Hardware and Software
3. How hackers use SDR

Disclaimer: We’re not going to talk specifically or in depth about Ham radio hacking.
BECOMING A HAM
• You get transmit privileges on amateur bands
• Three levels of ham licenses: Technician, General, Extra
• Each license level allows additional frequencies & privileges
• Contests, fox hunting, DXing, collecting QSL cards
• Communicate with the ISS
• Packet radio, Echolink
QUESTION: WHAT IS RF?
TERMINOLOGY
Wavelength and Frequency

WAVELENGTH: The actual distance between the peaks of 2 waves.
FREQUENCY: How many waves pass per second.

• Long wavelength: low frequency, low energy
• Short wavelength: high frequency, high energy
ANALOG MODULATION
You’re telling me the files are in the wave?

OOK
Pulse Modulation or On Off Keying

AM
Amplitude Modulation

FM
Frequency Modulation

PM
Phase Modulation
DIGITAL MODULATION
You’re telling me the files are in the wave?

ASK
Amplitude Shift Keying

FSK
Frequency Shift Keying

PSK
Phase Shift Keying
RF BANDS

Band      Name                              Range
VLF/ELF   Very or Extremely Low Frequency   3-30KHz
LF        Low Frequency                     30-300KHz
MF        Medium Frequency                  300KHz-3MHz
HF        High Frequency                    3MHz-30MHz
VHF       Very High Frequency               30MHz-300MHz
UHF       Ultra High Frequency              300MHz-3GHz
SHF       Super High Frequency              3GHz-30GHz
EHF       Extremely High Frequency          30GHz-300GHz


RF BANDS: VLF-ELF-LF (3-30 KHz, 30-300KHz)

• Mostly government use
• Maritime radio navigation
• Submarines


RF BANDS: MF (300KHz-3MHz)

• AM Radio
• Aviation Radio
RF BANDS: HF (3MHz-30MHz)

• Amateur Radio
• “short wave”
• NFC/RFID
• Weather Broadcast
RF BANDS: VHF (30MHz-300MHz)

• FM Radio
• VHF Television
RF BANDS: UHF (300MHz-3GHz)

Most Modern RF Tech:
• Wi-Fi
• UHF television
• Microwaves
• GPS
• Mobile/4G
• Car keys
• RC toys
RF BANDS: SHF (3GHz-30GHz)

• Wi-Fi
• Satellite Communications
RF BANDS: EHF (30GHz-300GHz)

• Radio Astronomy
• More Satellites
QUESTION: SO, WHAT IS SOFTWARE DEFINED RADIO?

RADIO HARDWARE COMPONENTS:
• Antenna
• Transmitter
• Receiver
• Amplifiers
• Filters
• Modulators/Demodulators

TRANSMITTER (block diagram): Microphone -> Modulator -> Amplifier -> Antenna

RECEIVER (block diagram): Antenna -> Amplifier -> Demodulator -> Audio Amplifier -> Loud Speaker
REQUIRED
HARDWARE
CHOOSING AN SDR

TUNER RANGE
The range of frequencies the radio can see

TRANSMIT CAPABILITY
Some platforms are receive only

SAMPLE RATE
Limits the max observable bandwidth at one time

DYNAMIC RANGE / ADC RESOLUTION
Bits per sample value
POPULAR SDR PLATFORMS

Hardware Platform   Tuner Range        Transmit Capability   Max Sample Rate   ADC       Cost
RTL-SDR             ~50MHz - 1.7GHz    Receive Only          3.2 MSPS          8 bits    $25
HackRF              10MHz - 6GHz       Half Duplex           20 MSPS           8 bits    $330
LimeSDR             100kHz - 3.8GHz    Full Duplex (4ch)     61.44 MSPS        12 bits   $299
LimeSDR mini        10MHz - 3.5GHz     Full Duplex (2ch)     30.72 MSPS        12 bits   $159
BladeRF             300MHz - 3.8GHz    Full Duplex (4ch)     40 MSPS           12 bits   $420
ANTENNAS
Outdoor Antennas

DIY Antenna
Basic Indoor Antennas
SIGNAL REVERSE ENGINEERING WORKFLOW:

STEP 1: Find the signal
STEP 2: Capture the signal
STEP 3: Analyze the signal

GOALS
Identify the following:
• Frequency
• Bandwidth
• Modulation
• Symbol rate/ Data rate/ Baud rate
• Packet structure elements (Preamble, Sync Word, CRC, Fields, Field sizes)
STEP 1
FIND THE SIGNAL

In these examples we’re going to be looking at some car key fobs


STEP 1
FIND THE SIGNAL
Use the FCC ID to quickly identify the frequency/bandwidth
STEP 1
FIND THE SIGNAL

Confirm the frequency & bandwidth with a tool like GQRX, SDR#, or Baudline.
Watch in action: https://youtu.be/RAoWL7dLnME
STEP 2
CAPTURE THE SIGNAL
• Frequency
• Sample rate / bandwidth
• # of Samples to read
• Gain (usually optional)
• Output file name/type:
  • .cfile
  • .cu8
  • .cs8
  • .cs16
STEP 3
ANALYZE THE SIGNAL

GOAL
Go from signal to bits:
• Identify modulation type
• Symbol rate/baud rate/data rate
• Identify protocol elements:
  • Preamble & Sync Word
  • Packet structure

Tools
• Inspectrum
• DspectrumGUI
• Universal Radio Hacker
Watch it in action: https://youtu.be/M6vUJbav1VE
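To make Steps 2 and 3 concrete, here is an added example (not from the talk or from any of the tools it lists) that reads the raw capture formats named above into complex samples and then slices an OOK burst into bits, the way a fixed-code key fob transmission would be analyzed. The .cu8 burst is constructed inline, and the sample layouts, the 10 kS/s sample rate and the 1 kBaud symbol rate are assumptions.

```python
import struct
from typing import List

# Capture formats from the Step 2 slide: struct code, DC offset, full-scale value.
# Assumed layouts: cu8 is the rtl_sdr style, cs8 the HackRF style, cfile GNU Radio float32.
IQ_FORMATS = {
    ".cu8":   ("B", 127.5, 127.5),  # unsigned 8-bit I/Q interleaved
    ".cs8":   ("b", 0.0, 127.0),    # signed 8-bit I/Q interleaved
    ".cs16":  ("h", 0.0, 32767.0),  # signed 16-bit I/Q interleaved
    ".cfile": ("f", 0.0, 1.0),      # complex float32 I/Q
}

def iq_from_bytes(raw: bytes, ext: str) -> List[complex]:
    """Turn a raw little-endian I/Q capture into complex samples scaled to roughly [-1, 1]."""
    code, offset, scale = IQ_FORMATS[ext]
    width = struct.calcsize(code)
    count = len(raw) // width
    count -= count % 2                       # I and Q come in pairs; drop a dangling value
    vals = struct.unpack("<%d%s" % (count, code), raw[:count * width])
    return [complex((vals[i] - offset) / scale, (vals[i + 1] - offset) / scale)
            for i in range(0, count, 2)]

def ook_bits(samples: List[complex], sample_rate: float, baud: float,
             threshold: float = 0.5) -> List[int]:
    """Step 3 for an OOK signal: magnitude -> threshold -> one decision per symbol period."""
    mag = [abs(s) for s in samples]
    level = threshold * max(mag, default=0.0)
    start = next((i for i, m in enumerate(mag) if m > level), None)
    if level == 0.0 or start is None:
        return []                            # no carrier anywhere in the capture
    sps = sample_rate / baud                 # samples per symbol
    pos = start + sps / 2                    # sample mid-symbol, aligned to the first pulse
    bits = []
    while pos < len(mag):
        bits.append(1 if mag[int(pos)] > level else 0)
        pos += sps
    return bits                              # trailing silence decodes as 0s for the framer to drop

def make_cu8_burst(bits: List[int], sps: int, lead: int, tail: int) -> bytes:
    """Constructed .cu8 capture: 'lead' idle samples, sps samples per bit, then 'tail' idle."""
    on, off = (227, 128), (128, 127)         # (I, Q) byte values: carrier on / carrier off
    pairs = [off] * lead
    for b in bits:
        pairs += [on if b else off] * sps
    pairs += [off] * tail
    return bytes(v for iq in pairs for v in iq)

def decode_example() -> List[int]:
    raw = make_cu8_burst([1, 0, 1, 1, 0, 0, 1], sps=10, lead=25, tail=12)
    return ook_bits(iq_from_bytes(raw, ".cu8"), sample_rate=10_000, baud=1_000)
```

In a real capture the symbol rate comes from measuring pulse widths in Inspectrum or URH first; the slicer then recovers the bit stream that the preamble, sync word and CRC are identified from.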
SPIES IN THE SKIES
DEFCON25

JASON HERNANDEZ @jason_nstar
SAM RICHARDS @minneapolisam
JEROD MACDONALD-EVOY @jerodmacevoy
JOHN WISEMAN* @lemonodor

DRIVE IT LIKE YOU HACKED IT
DEFCON23

SAMY KAMKAR
@samykamkar
Fixed Code Garages
• 8-12 bit code
• ~2ms per bit + ~2ms delay
• 5 signals per transmission

Where does one code end and the other begin?
For every 8 to 12 bit garage code:
((2**12)*12) + ((2**11)*11) + ((2**10)*10) + ((2**9)*9) + ((2**8)*8) = 88576 bits
88576 bits * (2ms signal + 2ms delay) * 5 transmissions = 1771520ms = 1771 secs = 29.5 minutes

De Bruijn Sequence
((2**12)+11) * 4ms / 2 = 8214ms = 8.214 seconds
OTHER COOL HACKS

BALINT SEEBER
@minneapolisam
Rick Rolls San Francisco with emergency broadcast towers
With “All Your RFz Are Belong to Me”, Defcon 21

KRISTIN PAGET
@KristinPaget
GSM hacks with “Practical Cellphone Spying”, Defcon18
TOOLS WE COVERED
• GnuRadio-companion
• GQRX
• Baudline
• SDR#
• Inspectrum
• DspectrumGUI
• Universal Radio Hacker (urh)
QUESTIONS?
THANK YOU
